Diffstat (limited to 'security/docker')
-rw-r--r-- | security/docker/Dockerfile | 58 | ||||
-rw-r--r-- | security/docker/testcases.yaml | 64 |
2 files changed, 112 insertions, 10 deletions
diff --git a/security/docker/Dockerfile b/security/docker/Dockerfile
index 667900f..e38f565 100644
--- a/security/docker/Dockerfile
+++ b/security/docker/Dockerfile
@@ -1,12 +1,58 @@
-FROM opnfv/xtesting
+FROM golang:1.13 AS build_aqua
+WORKDIR /go/src/github.com/aquasecurity/
+RUN git clone https://github.com/aquasecurity/kube-bench.git --depth 1
+WORKDIR /go/src/github.com/aquasecurity/kube-bench
+RUN GO111MODULE=on CGO_ENABLED=0 go install -a -ldflags "-w"
+FROM golang:1.13 AS build_onap
+WORKDIR /opt/onap
+RUN git clone https://git.onap.org/integration --depth 1
+WORKDIR /opt/onap/integration/test/security/sslendpoints
+RUN CGO_ENABLED=0 go install -a -ldflags '-w -s -extldflags "-static"'
+
+FROM opnfv/xtesting AS run
+
+ARG KUBERNETES_VERSION="v1.15.2"
+ARG HELM_VERSION="v2.14.1"
 ARG ONAP_TAG=master
-ARG PIP_TAG=19.3.1
+ARG ONAP_TESTS_TAG=master
+
+# Install kubectl
+# Note: Latest version may be found on:
+# https://aur.archlinux.org/packages/kubectl-bin/
+
+ADD https://storage.googleapis.com/kubernetes-release/release/${KUBERNETES_VERSION}/bin/linux/amd64/kubectl /usr/local/bin/kubectl
+
+COPY scripts/check_security_root.sh /check_security_root.sh
+COPY scripts/root_pods_xfail.txt /root_pods_xfail.txt
+COPY scripts/check_unlimitted_pods.sh /check_unlimitted_pods.sh
+COPY scripts/check_cis_kubernetes.sh /check_cis_kubernetes.sh
+COPY --from=build_aqua /go/bin/kube-bench /usr/local/bin/kube-bench
+COPY --from=build_aqua /go/src/github.com/aquasecurity/kube-bench/cfg/ /cfg/
+COPY --from=build_onap /go/bin/sslendpoints /usr/local/bin/sslendpoints
-COPY requirements.txt requirements.txt
-RUN apk --no-cache add --virtual .build-deps --update \
- openssl-dev libjpeg-turbo-dev && \
+RUN set -x && \
+ apk --no-cache add --update curl ca-certificates openssl procps util-linux \
+ nmap nmap-scripts && \
+ apk --no-cache add --virtual .build-deps --update \
+ python3-dev linux-headers gcc musl-dev && \
+ chmod +x /usr/local/bin/kubectl && \
+ git clone --depth 1 https://github.com/aquasecurity/kube-hunter.git /kube-hunter && \
+ adduser kubectl -Du 2342 -h /config && \
+ wget 
https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz -O - | tar -xzO linux-amd64/helm > /usr/local/bin/helm && \
+ wget -O /check_for_nonssl_endpoints.sh https://git.onap.org/integration/plain/test/security/check_for_nonssl_endpoints.sh?h=$ONAP_TAG &&\
+ wget -O /check_for_jdwp.sh https://git.onap.org/integration/plain/test/security/check_for_jdwp.sh?h=$ONAP_TAG &&\
+ wget -O /jdwp_xfail.txt https://git.onap.org/integration/plain/test/security/jdwp_xfail.txt?h=$ONAP_TAG &&\
+ wget -O /nonssl_xfail.txt https://git.onap.org/integration/plain/test/security/nonssl_xfail.txt?h=$ONAP_TAG &&\
+ chmod +x /usr/local/bin/helm && \
+ chmod +x /usr/local/bin/kube-bench && \
+ chmod +x /usr/local/bin/sslendpoints && \
+ chmod +x /check_*.sh && \
+ pip3 install --upgrade pip && \
+ pip3 install --no-cache-dir \
+ git+https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting.git@$ONAP_TESTS_TAG#subdirectory=security && \
+ cd /kube-hunter && pip3 install -r /kube-hunter/requirements.txt && \
 apk del .build-deps
 COPY docker/testcases.yaml /usr/lib/python3.8/site-packages/xtesting/ci/testcases.yaml
-CMD ["run_test -t all -r"]
+CMD ["run_tests", "-t", "all"]
diff --git a/security/docker/testcases.yaml b/security/docker/testcases.yaml
index ed281f2..6b9d482 100644
--- a/security/docker/testcases.yaml
+++ b/security/docker/testcases.yaml
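Review bot: Every external artifact the `run` stage pulls in is fetched without integrity verification — the bare `ADD https://…/kubectl`, the `wget … | tar … > /usr/local/bin/helm` pipeline, and the four ONAP scripts and xfail lists fetched with `?h=$ONAP_TAG` and then made executable by `chmod +x /check_*.sh` — so the image content is whatever those URLs serve at build time, and with `ONAP_TAG=master` plus untagged `git clone --depth 1` of kube-hunter and kube-bench it is not reproducible either. At minimum verify the kubectl and helm downloads against a recorded digest, e.g. `wget -O /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/${KUBERNETES_VERSION}/bin/linux/amd64/kubectl && echo "<sha256-from-release-notes> /usr/local/bin/kubectl" | sha256sum -c -`, and pin the cloned repositories and `$ONAP_TAG` to a tag or commit rather than a branch head. The helm pipeline runs under `set -x` only, so a failed `wget` is reported only if `tar` happens to fail on the truncated input; starting the chain with `set -o pipefail && set -x` makes the download failure fatal on its own. Separately, `adduser kubectl -Du 2342 -h /config` creates an unprivileged user but no `USER` instruction follows, so `run_tests` still executes as root; if that is deliberate (nmap and kube-hunter may need raw sockets), a comment next to the `adduser` line saying so would stop the next reader from "fixing" it. `FROM opnfv/xtesting AS run` is also untagged and so resolves to `:latest`, unlike the pinned `golang:1.13` build stages.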
@@ -8,11 +8,67 @@ tiers:
 Set of basic Functional security tests.
 testcases:
 -
- case_name: osji
- project_name: integration
+ case_name: root_pods
+ project_name: security
 criteria: 100
 blocking: false
 description: >-
- run osji scan.
+ test if pods are run in root.
 run:
- name: 'onap_osji'
+ name: 'root_pods'
+ -
+ case_name: unlimitted_pods
+ project_name: security
+ criteria: 100
+ blocking: false
+ description: >-
+ test if pods are run without limit.
+ run:
+ name: 'unlimitted_pods'
+ -
+ case_name: cis_kubernetes
+ project_name: security
+ criteria: 100
+ blocking: false
+ description: >-
+ test if kubernetes install is CIS compliant.
+ run:
+ name: 'cis_kubernetes'
+ -
+ case_name: http_public_endpoints
+ project_name: security
+ criteria: 100
+ blocking: false
+ description: >-
+ Check all ports exposed outside of kubernetes cluster
+ looking for plain http endpoint.
+ run:
+ name: 'http_public_endpoints'
+ -
+ case_name: nonssl_endpoints
+ project_name: security
+ criteria: 100
+ blocking: false
+ description: >-
+ Check that all ports exposed outside of kubernetes cluster
+ use SSL tunnels.
+ run:
+ name: 'nonssl_endpoints'
+ -
+ case_name: jdpw_ports
+ project_name: security
+ criteria: 100
+ blocking: false
+ description: >-
+ Check that no jdwp ports are exposed
+ run:
+ name: 'jdpw_ports'
+ -
+ case_name: kube_hunter
+ project_name: security
+ criteria: 100
+ blocking: false
+ description: >-
+ Check k8s CVE.
+ run:
+ name: 'kube_hunter'
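Review bot: `jdpw_ports` (used for both `case_name` and `run: name`) looks like a transposition of `jdwp`, the protocol named in its own description and in the `check_for_jdwp.sh` script the Dockerfile fetches; unless the xtesting entry point is registered under that exact spelling, both occurrences should read `jdwp_ports`. `unlimitted_pods` has the same problem (`unlimited`), though it matches the `check_unlimitted_pods.sh` script name, so renaming it would have to touch the script as well. Note also that `criteria: 100` with `blocking: false` on every case means a failing security check never fails the run; if that is the intended rollout stance, a one-line comment at the top of the `testcases:` list saying so would make it explicit.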